Enable FileVault for non-admin account

tc_pmg

Our setup has a generic local admin account to all enrolled macOS devices.

We have a policy for FileVault that triggers on logout. I know this can be bypassed but the current workflow works for now until I can get my scenario to work.

Our current fleet has encrypted and unencrypted devices.

We also have a number of devices prepped, ready to be assigned and not yet encrypted. These prepped machines will have the local admin account and then get delivered to our assigned users. We use Jamf Connect's Microsoft 365 login to allow assigned users a way to create their local user profile.

For the devices that are assigned and not yet encrypted, the assigned users have been canceling the encryption popup to bypass the encryption process.

 

Ideal scenario:

  • Do not enforce our FileVault policy on these devices that have not yet been logged into by the end users.
  • After an end user has logged into the device, it will create a local user account which will not have administrator privileges. At this point I'd want the device to run the FileVault policy, and the trigger will be At Next Login to force FileVault encryption.

 

My question is, what steps work best to meet the ideal scenario to enforce the FileVault trigger for only assigned users? (i.e. Smart Groups OR the policy's Custom Event OR another method OR a combination).

 

TYIA!
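One way to get the Smart Group half of this working, as an added example that is not part of the original post or of Jamf's own tooling: a Jamf Pro extension attribute (EA) script that reports whether an "assigned" local user (a real account that is neither the generic local admin nor a member of the admin group) exists, together with the FileVault state. A Smart Group keyed on the EA value "Assigned-Unencrypted" can then be the scope of the FileVault policy, so prepped Macs that only carry the generic admin never receive it, and Macs the end user has logged into do. The generic admin account name, the constructed sample directory data and the EA value names are all assumptions of this example; the `dscl` and `fdesetup` commands and the `<result>` tags are standard macOS and Jamf EA conventions.

```shell
#!/bin/sh
# Added example, not from the original post: a Jamf Pro extension attribute (EA)
# script that reports whether an "assigned" (non-admin, non-generic) local user
# exists and whether FileVault is on. A Smart Group keyed on the EA value
# "Assigned-Unencrypted" can then scope the FileVault policy so it only reaches
# Macs an end user has actually logged into, leaving prepped machines alone.
# Assumption: the shared local admin account name below is a placeholder.

GENERIC_ADMIN="localadmin"   # placeholder name of the generic local admin account

# classify USERS ADMINS FDE_STATUS
#   USERS      lines of "name uid", as printed by `dscl . -list /Users UniqueID`
#   ADMINS     space-separated members of the admin group
#   FDE_STATUS output of `fdesetup status`
# Prints Assigned-Encrypted, Assigned-Unencrypted, Unassigned-Encrypted or
# Unassigned-Unencrypted.
classify() {
    users=$1
    admins=$2
    fde_status=$3
    assigned=no

    while read -r name uid; do
        # Skip system/service accounts: real users on macOS have UID >= 500
        [ "$uid" -ge 500 ] 2>/dev/null || continue
        # Skip the generic admin itself
        [ "$name" = "$GENERIC_ADMIN" ] && continue
        # Skip any other account that holds admin rights
        case " $admins " in *" $name "*) continue ;; esac
        assigned=yes
    done <<EOF
$users
EOF

    case "$fde_status" in
        *"FileVault is On"*) enc=Encrypted ;;
        *) enc=Unencrypted ;;
    esac

    if [ "$assigned" = yes ]; then
        printf 'Assigned-%s\n' "$enc"
    else
        printf 'Unassigned-%s\n' "$enc"
    fi
}

# Constructed sample data for offline use: a prepped Mac after the end user jdoe
# has created a standard account via Jamf Connect, FileVault still off.
SAMPLE_USERS="root 0
_mbsetupuser 248
localadmin 501
jdoe 502"
SAMPLE_ADMINS="root localadmin"
SAMPLE_FDE="FileVault is Off."

if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = 0 ]; then
    # Real EA run on a Mac (Jamf runs EAs as root): query the directory and FileVault
    live_users=$(dscl . -list /Users UniqueID)
    live_admins=$(dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //')
    live_fde=$(fdesetup status)
    printf '<result>%s</result>\n' "$(classify "$live_users" "$live_admins" "$live_fde")"
else
    # Anywhere else, show the classification of the constructed sample
    printf '<result>%s</result>\n' "$(classify "$SAMPLE_USERS" "$SAMPLE_ADMINS" "$SAMPLE_FDE")"
fi
```

Paste the script into an extension attribute with a String data type, build a Smart Group with the criterion "EA is Assigned-Unencrypted", and scope the FileVault policy (with its login or At Next Login trigger) to that group. Because EA values only change when inventory is collected, have a policy that runs at login update inventory, otherwise the Mac will not move into the group until the next scheduled recon. Since the check is on group membership rather than a logout event, a user cancelling or skipping the logout trigger does not take the Mac out of scope.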


akw0045

I wouldn't have a policy trigger the FileVault but let Jamf Connect enable it. Jamf Connect doesn't have the pop-up. It's just encrypted by the time the account creation is completed.